You’ve Identified Security Risks with - Blue Sky eLearn (PDF transcript)
My favorite three questions!
1. What’s at risk if we don’t do this?
2. Who is the business owner of this project?
3. What else should I know about this?

Can we change anything?
» Are there other vendors in this space?
» Have we already signed the contract?
» Is this already deployed?
» What application elements are configurable?
» What processes do we manage directly?
Set context. What happens if…
» …data is stolen or exposed?
  • Types of data elements – PII, R&D, embarrassing…
  • Volume of records in the system
» …data gets modified or corrupted?
  • Transactions or decisions based on data points
  • Implications to life safety, medical treatment, financials…
» …system or data is unavailable?
  • Manual processes or alternate systems? How sustainable?
  • Can we adjust any deadlines? Wiggle room?
Where are breakdowns most likely?
A bad system will beat a good person every time. - W. Edwards Deming
Incident classification patterns
[Chart: share of incidents per classification pattern; the bar labels did not survive the transcript]
1/2 of all incidents are caused by people.
N = 64,199
Source: 2016 Verizon Data Breach Investigations Report
Breach classification patterns
[Chart: share of breaches per classification pattern; the bar labels did not survive the transcript]
2/3 of all breaches leverage app-level vulnerabilities.
N = 2,260
Source: 2016 Verizon Data Breach Investigations Report
Access to confidential information
Source: 2016 Ponemon Institute: Closing Security Gaps to Protect Corporate Data
What’s the data value to others?

Type                US       Europe, Canada, Australia
PCI w/code          $5-$8    $20-$30
PHI                 $15      $25-$30
PII                 $15      $30-$35
“Fullz”             $30      $35-$45
Bank/Pay accounts   5-12% of available balance

Source: 2015 McAfee Labs, The Hidden Data Economy
You can’t steal what’s not there!
» Opaque identifiers vs. names/PII
  • Breach notification avoidance
» Defined retention schedules
  • Fewer active records = lower breach impact

Business benefits of reduced PII in SaaS
» Fewer contract riders/faster legal review
» Less cyber risk insurance coverage required
Poll #1: Cyber Risk Insurance
Does your organization include a cyber risk insurance clause with minimum coverage amount in your vendor contracts?
1. Yes
2. No
3. Considering
4. Don’t know
Plan for phishing & fraud
» Leverage federated authentication (SSO)
  • Your people, your authentication system and logs
» Disable direct login wherever possible
» Truncate PII wherever full data not required
» Send confirmations by default, not opt-in

Increase the effort for payout
» Reduce PII availability
» Use 2FA for high-risk transactions
» Require segregation of duties for high-risk business processes
Source: 2016 Hewlett Packard Enterprise: The Business of Hacking
Does the vendor know their CSP contract?

We asked about… Physical locations, network diagram, most recent security audit?
They replied… “N/A since the data centers are operated by [CSP].”

We asked about… Security Operations, SIEM, IPS?
They replied… “Since we don't operate any data centers, we rely on [CSP’s] capability in this space.”

We asked about… Integrity/Confidentiality of stored data?
They replied… “We do not store any client data on our system. Data is stored either on MySQL database or on file systems managed by [CSP].”
Poll #2: Patching process breakdown
In 2014, what percentage of all successful exploits attacked vulnerabilities for which patches/fixes had been available for more than a year?
1. 30%
2. 50%
3. 75%
4. 99.9%
Source: 2015 Verizon Data Breach Investigations Report
Application security practices?
» “Because of the architecture of the system as described previously, there are no specific security tests.”
» Should YOUR company perform testing?
  • Will business take any action?
  • Will the vendor do anything about vulnerabilities?
  • What’s at risk for the business?
Change management process?
» Yours and theirs…
» Not just post-production!
» Are you reviewing their test/QA environment?
» When are front-ends “open for business?”
» Will you be part of change testing?
If you can’t prevent, then detect!
» Changes to critical files
» Volumes of transactions within regular periods
  • Queries from a single account
  • Records updated within short time period
  • New/deleted records or accounts
» Alerts for specific activities
  • Changed configurations/business thresholds
  • Money movement above set $ amounts
  • Use of super admin accounts for overrides
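The detection signals listed on this slide, turned into rules that run over a SaaS application audit log. This is an added example, not material from the webinar; the event field names, action names, thresholds and the sample log are all assumptions, and the log is assumed to be in chronological order.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds are assumptions for this example; set them from the real business process.
RULES = {
    "query_burst": (5, timedelta(minutes=5)),    # more than N queries by one account per window
    "update_burst": (3, timedelta(minutes=1)),   # more than N record updates by one account per window
    "money_threshold": 10000.0,                  # money movement above this amount
}
# Activities the slide says should always raise an alert (event names are assumed).
ALWAYS_ALERT = {"critical_file_change", "config_change", "create_account", "delete_account", "delete_record"}

def detect(events, rules=RULES):
    """Return (rule, actor, timestamp) alerts for a chronologically ordered audit log."""
    alerts = []
    recent = defaultdict(deque)  # (actor, action) -> timestamps inside the sliding window
    for e in events:
        ts, actor, action = datetime.fromisoformat(e["ts"]), e["actor"], e["action"]
        if action in ("query", "update_record"):
            limit, window = rules["query_burst" if action == "query" else "update_burst"]
            q = recent[(actor, action)]
            q.append(ts)
            while ts - q[0] > window:          # drop timestamps that fell out of the window
                q.popleft()
            if len(q) == limit + 1:            # alert once, when the threshold is first exceeded
                alerts.append((action + "_burst", actor, e["ts"]))
        elif action in ALWAYS_ALERT:
            alerts.append((action, actor, e["ts"]))
        elif action == "transfer" and e.get("amount", 0.0) > rules["money_threshold"]:
            alerts.append(("large_transfer", actor, e["ts"]))
        if e.get("role") == "superadmin" and e.get("override"):
            alerts.append(("superadmin_override", actor, e["ts"]))
    return alerts

def _t(minute, second=0):
    return f"2016-05-01T09:{minute:02d}:{second:02d}"

# Constructed sample audit log (not real data): one query burst, one deleted account,
# one configuration change, one large transfer and one super-admin override.
SAMPLE_EVENTS = (
    [{"ts": _t(0, s * 10), "actor": "svc_report", "action": "query", "role": "user"} for s in range(6)]
    + [{"ts": _t(1), "actor": "jdoe", "action": "update_record", "role": "user"},
       {"ts": _t(2), "actor": "admin2", "action": "delete_account", "role": "admin"},
       {"ts": _t(3), "actor": "admin2", "action": "config_change", "role": "admin"},
       {"ts": _t(4), "actor": "jdoe", "action": "transfer", "amount": 25000.0, "role": "user"},
       {"ts": _t(5), "actor": "root", "action": "update_record", "role": "superadmin", "override": True}]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Burst rules alert only when a count first crosses the limit inside the window, so a steady stream of normal activity stays quiet while a sudden spike from one account does not.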
Explore response options with business:
» What if data is stolen or exposed?
  • Do we take down the system, specific pages, data fields…?
  • Whom must we notify and when?
  • What are the long-term costs/losses?
» What if data gets modified or corrupted?
  • Do we take down system, specific pages, data fields…?
  • What are top priority recent transactions to verify or override?
  • What’s the data restoration plan?
» What if system or data is unavailable?
  • Manual processes or alternate systems? How long can we sustain?
  • Can we adjust any deadlines? Wiggle room?
Can the vendor support these options?
Keep it in perspective!
» What’s the risk of not doing this?
» What are the most likely risks, and can we reduce probability or loss from those?
» Is the vendor responsive to enhancement requests?